BeyondTrust Patch Tuesday

August 13, 2013

Microsoft Patch Tuesday

This month, Microsoft released eight patches that repair a total of 23 vulnerabilities. Of these vulnerabilities, there were 12 remote code execution vulnerabilities, five elevation of privilege vulnerabilities, three denial of service vulnerabilities, two information disclosure vulnerabilities, and one security feature bypass vulnerability.

Administrators are advised to patch MS13-059 and MS13-060 immediately to prevent exploitation by attackers.
Next, administrators should patch MS13-061, MS13-062, MS13-063, MS13-064, MS13-065, and MS13-066 as soon as possible.

Microsoft Rating:

CVE List:

Analysis:

This bulletin addresses 11 privately reported vulnerabilities in Internet Explorer, composed of nine memory corruption vulnerabilities, an information disclosure vulnerability, and an elevation of privilege vulnerability. The patch fixes how Internet Explorer handles process integrity level assignment, how certain character sequences are processed, and how in-memory objects are handled. An attacker who successfully exploited one of the memory corruption vulnerabilities would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones. There is no mitigation for the elevation of privilege vulnerability, CVE-2013-3186.

Microsoft Rating:

CVE:

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in the Unicode Scripts Processor. The patch fixes a memory corruption vulnerability that occurs when processing specific font types. An attacker who successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, use CACLS to restrict access to usp10.dll and disable Internet Explorer's ability to parse embedded fonts. Note: using CACLS to restrict access to usp10.dll may cause Firefox to not load.

Microsoft Rating:

CVE List:

CVE-2013-2393, CVE-2013-3776, and CVE-2013-3781

Analysis:

This bulletin addresses three publicly disclosed vulnerabilities in Microsoft Exchange: two remote code execution vulnerabilities and a denial of service vulnerability. The patch fixes the Oracle Outside In libraries that are used by Exchange within the WebReady Document Viewing feature. An attacker that successfully exploited one of the remote code execution vulnerabilities would gain the ability to execute arbitrary code in the context of LocalService on the affected Exchange Server.

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, disable the Data Loss Prevention feature and the WebReady document view.

Microsoft Rating:

CVE:

CVE-2013-3175

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in remote procedure calls in Windows. The patch fixes a failure to properly handle asynchronous RPC requests. An attacker that successfully exploited this vulnerability would gain the ability to execute code as another user.

Recommendation:

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2859537)

Microsoft Rating:

CVE List:

CVE-2013-2556, CVE-2013-3196, CVE-2013-3197, and CVE-2013-3198

Analysis:

This bulletin addresses one publicly reported security feature bypass vulnerability and three privately reported elevation of privilege vulnerabilities in the Windows kernel. The patch fixes the Windows address space layout randomization (ASLR) implementation and how the kernel handles objects in memory. A local attacker who successfully exploited one of the memory corruption vulnerabilities would gain kernel-level access to the target machine.

Recommendation:

Deploy patches as soon as possible; no mitigation is available for the ASLR bypass vulnerability. To mitigate the memory corruption vulnerabilities, use group policy to disable the NTVDM subsystem.
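
The interim mitigations named above for Internet Explorer, the Unicode Scripts Processor and the Windows kernel can be audited on a host with a read-only script. This is an added example, not part of the BeyondTrust advisory: the KB numbers come from the bulletin titles on this page, while the registry locations and URL-action numbers are standard Windows settings that the page does not list. It assumes the usp10.dll restriction was applied as a Deny entry and checks only the machine-policy and per-user zone locations.

```powershell
# Added example: read-only audit of the interim mitigations named in this advisory.
# Run in an elevated PowerShell session on the host being checked.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$results = @()

# KB numbers exactly as printed in the bulletin titles on this page.
foreach ($kb in 'KB2859537', 'KB2849568') {
    $installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    $results += [pscustomobject]@{ Check = "$kb installed"; Pass = $installed }
}

# Kernel workaround: the "Prevent access to 16-bit applications" policy
# writes VDMDisallowed = 1, which disables the NTVDM subsystem.
$vdm = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat' 'VDMDisallowed'
$results += [pscustomobject]@{ Check = 'NTVDM disabled by policy'; Pass = ($vdm -eq 1) }

# IE workaround: zone 1 = Local intranet, zone 3 = Internet.
# URL action 1400 = Active Scripting, 1200 = run ActiveX controls; value 3 = disabled.
$zoneRoots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($zone in 1, 3) {
    foreach ($action in '1400', '1200') {
        $value = $null
        foreach ($root in $zoneRoots) {   # machine policy first, then per-user setting
            $value = Get-RegValue "$root\$zone" $action
            if ($null -ne $value) { break }
        }
        $results += [pscustomobject]@{ Check = "Zone $zone action $action disabled"; Pass = ($value -eq 3) }
    }
}

# Unicode Scripts Processor workaround: look for an explicit Deny entry on usp10.dll.
$dll = Join-Path $env:WINDIR 'System32\usp10.dll'
try {
    $acl = Get-Acl -Path $dll -ErrorAction Stop
    $restricted = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count -gt 0
} catch {
    # A Deny on Everyone can also block reading the ACL; treat access-denied as restricted.
    $restricted = $_.Exception -is [System.UnauthorizedAccessException]
}
$results += [pscustomobject]@{ Check = 'usp10.dll access restricted'; Pass = $restricted }

$results | Format-Table -AutoSize
```

A failed mitigation check matters only while the corresponding patch is still missing; once the update is installed, the workaround can be reverted.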

Vulnerability in Windows NAT Driver Could Allow Denial of Service (2849568)

Microsoft Rating:

CVE:

CVE-2013-3182

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in the Windows NAT driver. The patch fixes how the NAT driver handles ICMP packets. An attacker that successfully exploited this vulnerability would be able to cause the system to stop responding until it is restarted.

Recommendation:

Microsoft Rating:

CVE:

CVE-2013-3183

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in the ICMPv6 implementation on Windows. The patch fixes how the system allocates memory during the processing of certain ICMPv6 packets. An attacker that successfully exploited this vulnerability would be able to cause the system to stop responding until it is restarted.

Recommendation:

Microsoft Rating:

CVE:

CVE-2013-3185

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in Active Directory Federation Services (AD FS). The patch fixes an unintentional disclosure of account information through an open endpoint. An attacker that successfully exploited this vulnerability would gain access to account information.

Recommendation:

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.